Are you down with BCP? Yeh, you know me!

01 Jun Are you down with BCP? Yeh, you know me!

Business continuity planning is much more than just a fancy way of saying “Back-up”. Modern threats require modern solutions and proper BCP planning is no longer a nice to have, but a mandatory requirement for most businesses at some scale. If 2017 taught the cybersecurity world anything, it’s we are going to be facing more and more complex threats, some of which can crash entire office networks or shut down manufacturing plants.

By developing BCP procedures you are making the responsible choice, and showing to your shareholders and staff that you are proactive in the security of the company and their livelihoods.

BCP, but why?

Nobody can predict the future, but no matter where you work in the world or what sector, there is at least some chance that an unforeseen circumstance will disrupt you or your company. In an emergency situation your employees may not be able to work, suppliers may have shortages or your services may decrease in demand. Any of these elements can cause your business to cease, possibly permanently. The equation should be how should I invest in a BCP strategy. Not if you should.

Okay, I am sold – how do I BCP?

Well, you can’t eat the whole elephant all at once, you need to think about the core functions of your business. In the case of emergency do I need a full disaster site, or can I have my employees work from home? Some data is more important than others, what data needs to be backed up and where and how do I recover this data (a lot of people forget the recovering part).

1: Threat analysis.

Are you in a floodplain? Is your city’s electrical supply erratic? Some threats can destroy your entire office, others can destroy your infrastructure. A power outage is usually a minor issue if you have a backup generator, but what happens if a flood renders electricity at your office down for days and weeks? You are going to need a backup. A business continuity plan outlines a range of disaster scenarios and the steps that your business needs to take in any scenario to return to regular trade. So you can be as broad as you would like.

2: This sounds expensive…

Typically there are 3 types of cost associated with a disaster (1) Unproductive loss costs, IE you’re paying personnel but they cannot perform their function (2) Revenue loss – your inability for your make sales due to your operation being down and (3) the long-term effects of customer dissatisfaction. Often the most costly, the loss of reputation can tarnish a brand – one extreme example is a Law Firm was locked down for 3-months due to the Petya ransomware – they are unlikely to make a swift business come back.

3: Acceptable recovery time:

A business doing $1000 dollars a day, and one doing $1,000,000 a day may have different scopes for acceptable downtime. How quickly you need to recover and what you need to recover will greatly influence the budget required to provide you with a solution.

4: Who is in charge?

Establish a clear chain of command, assign decision making authority and what are the core areas of responsibility. Document the policies and store them off-site in case they need to be retrieved. Generally, too many cooks spoil the broth, so it’s best to establish an Emergency Preparedness Team, made up of some core personnel.

5: The bare necessities:

Outline your mission-critical applications and services – these are the parts of the business that need the most rigorous and full-proof strategy. Core elements are parts of your business which in the instance of failure can bring down a business unit. If you are struggling to differentiate what elements of your business need priority, get each department to write out an essentials list and then rank them based on their negative impact should they fail. Each of essentials should be broken down into; (1) absolute essentials, (2) short-term suspension acceptable, (3) extended suspension acceptable.

6: Budget Time:

Okay, now you have critiqued potential threats, how much it will cost you and what is the acceptable downtime. All of these are core ingredients for the type of budget you are going to need to meet your demands. This is the most common challenge for businesses when trying to develop a BCP plan – getting an adequate budget to meet their business needs.

7: Skill inventory:

Not only do you need to evaluate the technological elements are necessary for business continuity, but also the skills your employees have that are necessary. Your marketing team may not be mission critical, but a member staff with a license to operate heavy machinery may well be, or your IT director should you need to utilize Veeam data restore.

8: Off-site backup:

A core element of any rigorous business continuity plan will address restoration of your companies key digital data if all or some of it is destroyed. Too many companies invest a lot of time in money in server storage on site in a single location. If a tornado or flood destroys the server room, that data is also gone.

Ideally, you would store removable copies of data in a different location, that can be retrieved – or hold data in the cloud. For maximum efficiency utilizing deduplication when storing will save you cost.

9: Disaster Recovery Site:

The core principle of a BCP plan is to design a clear plan for setting up operations at an alternative location. The best way is to have clear guidelines and access to an empty facility or “disaster recovery site”. Most IT managed service providers can allow you to rent disaster recovery locations.

10: Alternative Communications Strategy:

Okay, you have your plan, your team leaders, acknowledgment of core processes and a method of restoring them to an alternative location. The final part of the puzzle – time for communication. How are employees going to stay in contact with each other and how will they access your network/environment. Can employees who work remotely leverage VPN access? Are their alternative email addresses? Do you have an address book with mobile numbers?

It’s important that everyone knows where they need to be in disaster this should be prepared by your emergency preparedness team. As explained some core staff will need to work at the disaster recovery site, some might be able to work remotely – but of course, they should all be able to interact.

Et Voila, there you have it. Some solid guidelines for YOUR BCP plan. It’s advised that every company at the very least has some rough protocol.

Sean Allan is from the Aware Group, a Technology company witnessing the continued rise of cyber threats across industries.